CVE-2021-43206: 
FortiOS vulnerability analysis and mitigation

A server-generated error message vulnerability (CVE-2021-43206) was discovered in Fortinet FortiOS versions 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.x, 6.0.x and FortiProxy versions 7.0.0 through 7.0.1, 2.0.x. The vulnerability was published on May 3, 2022, and received a CVSS v3.1 base score of 4.3 (Medium severity) (NVD).

The vulnerability is classified as CWE-209 (Generation of Error Message Containing Sensitive Information). It allows malicious webservers to retrieve a web proxy's client username and IP address through same-origin HTTP requests that trigger proxy-generated HTTP status code pages. The vulnerability has been assigned a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, indicating network accessibility, low attack complexity, and user interaction requirement (NVD).

The primary impact of this vulnerability is information disclosure, where sensitive information about web proxy clients, including usernames and IP addresses, could be exposed to malicious actors. This exposure could potentially lead to privacy breaches and could be used as part of larger targeted attacks (Fortiguard).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade FortiOS to versions 7.0.4 or later, 6.4.9 or later, and FortiProxy to versions 2.0.8 or later, or 7.0.2 or later (Fortiguard).